Adapt Debian API to consider package registry access level
What does this MR do and why?
Solves #385258 (closed)
This MR is a step of #329253 (closed) (see implementation plan):
- In !82808 (merged), we added a new Package Registry visiblity setting in the project settings to allow access to the package registry for everyone even in private projects - behind the
package_registry_access_level
feature flag. - In !90963 (merged) and !97001 (merged), we modified the package policies to consider the new setting - behind the
read_package_policy_rule
feature flag and cleaned up in !96767 (merged).
Now, we need to modify the APIs of all package types to the changes: This MR adapts the Debian API.
Why do we need to modify the API if considering the new setting has already been implemented in the policies?
Currently, it checks in a first step if there's access to the project (:read_project
permission). If not, the request is aborted prematurely. The :read_package
permission is checked only in a second step.
But with the new project settings, it's possible that there's NO access to the project itself (:read_project
permission), but there's access to the package registry (:read_package
permission).
So we must not check for the :read_project
permission first.
/cc @bufferoverflow
How to set up and validate locally
-
Enable the feature flags:
Feature.enable(:read_package_policy_rule) Feature.enable(:debian_packages)
-
Try to use the Debian API of a private project as anonymous (see docs):
➡ 404 Project Not Found
GET projects/:id/packages/debian/dists/*distribution/Release
GET projects/:id/packages/debian/dists/*distribution/InRelease
GET projects/:id/packages/debian/dists/*distribution/Release.gpg
GET projects/:id/packages/debian/dists/*distribution/:component/binary-:architecture/Packages
GET projects/:id/packages/debian/dists/*distribution/:component/binary-:architecture/by-hash/SHA256/:file_sha256
GET projects/:id/packages/debian/dists/*distribution/:component/debian-installer/binary-:architecture/Packages
GET projects/:id/packages/debian/dists/*distribution/:component/debian-installer/binary-:architecture/by-hash/SHA256/:file_sha256
GET projects/:id/packages/debian/dists/*distribution/:component/source/Sources
GET projects/:id/packages/debian/dists/*distribution/:component/source/by-hash/SHA256/:file_sha256
-
Change the
package_registry_access_level
of the private project to allow access for everyone:project = Project.find(2) project.project_feature.update!(package_registry_access_level: ProjectFeature::PUBLIC)
-
Try to use the Debian API of a private project as anonymous (see docs):
➡ 200 OK
GET projects/:id/packages/debian/dists/*distribution/Release
GET projects/:id/packages/debian/dists/*distribution/InRelease
GET projects/:id/packages/debian/dists/*distribution/Release.gpg
GET projects/:id/packages/debian/dists/*distribution/:component/binary-:architecture/Packages
GET projects/:id/packages/debian/dists/*distribution/:component/binary-:architecture/by-hash/SHA256/:file_sha256
GET projects/:id/packages/debian/dists/*distribution/:component/debian-installer/binary-:architecture/Packages
GET projects/:id/packages/debian/dists/*distribution/:component/debian-installer/binary-:architecture/by-hash/SHA256/:file_sha256
GET projects/:id/packages/debian/dists/*distribution/:component/source/Sources
GET projects/:id/packages/debian/dists/*distribution/:component/source/by-hash/SHA256/:file_sha256
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.